INFORMATION SECURITY PROGRAM
National Transportation Safety Board

Report Number: FI-2006-001
Date Issued: October 7, 2005

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General
Washington, D.C. 20590

October 7, 2005

The Honorable Mark V. Rosenker
Acting Chairman
National Transportation Safety Board
490 L'Enfant Plaza, SW
Washington, DC 20594

Dear Acting Chairman Rosenker:

This report presents the results of our audit of the National Transportation Safety Board's (NTSB) information security program. The Federal Information Security Management Act (FISMA) of 2002 requires each agency to develop, document, and implement an agencywide information security program to protect the information and information systems that support the operations and assets of the agency.

This is the second year that small agencies such as NTSB are required to report to the Congress on their information security program.[1] NTSB is responsible for investigating accidents in all transportation modes to determine the cause, and recommend changes to improve safety and reduce the likelihood and consequences of future accidents. NTSB plays a critical role in ensuring a safe transportation system.

[1] FISMA requires 24 large Federal agencies to report annually to the Congress on their information security programs. Last year the Office of Management and Budget expanded FISMA reporting requirements to all Departments and agencies that are subject to the Paperwork Reduction Act of 1995, including NTSB.

To support its investigation operations nationwide, NTSB has implemented an information technology (IT) infrastructure, including communication networks, computer laboratories, and various software application systems at NTSB's Headquarters, 10 regional offices, and its Academy. This IT infrastructure enables NTSB's investigators to gather accident evidence, analyze information from voice and data recorders, assist victims' family members, and provide accident investigation results to the American public. NTSB invested about $2.7 million in IT system operations in Fiscal Year (FY) 2005.

Responding to FISMA requirements, the Department of Transportation's Office of Inspector General (OIG) performed an audit of NTSB's information security program last year for the first time. We found that NTSB lacked basic information security elements such as a system inventory, process to certify and accredit systems security, mechanisms to identify network vulnerabilities, and ability to respond to security incidents in a timely manner.

As a result, we reported to NTSB that its information security program should be reported to OMB as a material weakness under the Federal Managers' Financial Integrity Act (FMFIA) of 1982 and recommended immediate corrective actions.[2] NTSB management had agreed to take aggressive actions, including appointment of a Chief Information Officer (CIO) to lead the effort.

[2] OIG Report Number FI-2004-097, "NTSB Information Security Program," September 28, 2004. OIG reports can be found at www.oig.dot.gov.

This year, we did a follow-up review of NTSB's information security program and network security. The objectives were to determine whether (1) NTSB has made adequate progress in implementing the planned actions, (2) network connections to outside entities, including the Internet, are adequately protected to prevent cyber attacks, and (3) internal network computers are properly configured to reduce the risk of attacks.

We conducted the performance audit in accordance with Generally Accepted Government Auditing Standards as prescribed by the Comptroller General of the United States, and performed such tests as we considered necessary to detect fraud, waste, and abuse. Our input to NTSB's annual FISMA report to OMB is in Enclosure 1. Our scope and methodology are described in Enclosure 2.

RESULTS IN BRIEF

While a CIO was appointed in September 2004, NTSB has made limited progress in enhancing its information security program. Our review of the network security controls also identified a significant number of vulnerabilities that exposed NTSB computers to unauthorized access from both inside and outside of the agency. During the audit, our staff was able to crack the password in an Internet router that is used to control access from the Internet. In addition, we were able to obtain sensitive investigation information from NTSB computers, including real-time audio recording between air traffic controllers and pilots during an accident.

Accordingly, it is our opinion that NTSB's information security program remains a material weakness to its safety investigation mission.

The following summarizes what we found.

NTSB did not make a strong commitment to implement an agencywide information security program as promised. The following summarizes the status of NTSB's corrective actions (see Table 1).

Table 1. Delays in Implementing Planned Corrective Actions

Recommended Corrective Actions                             Target Completion   Current Status as of
                                                                               September 30, 2005
1.  Appoint a Chief Information Officer                                        Completed
2.  Implement an information security program
2a. Provide security training to employees                 December 31, 2004   82% completed
2b. Complete an information systems inventory              December 31, 2004   Open
2c. Establish a schedule to have systems security
    certified and accredited                               December 31, 2004   Open
2d. Provide guidelines for developing security plans       December 31, 2004   Open
2e. Document security weaknesses and corrective actions    December 31, 2004   Open
3.  Enhance network security
3a. Correct high- and medium-risk network
    vulnerabilities identified                             December 31, 2004   85% completed
3b. Configure and patch computers securely                 March 31, 2005      Open
3c. Scan networks for potential vulnerabilities and
    deploy an intrusion-detection system                   June 30, 2005       Open

Until an agencywide information security program is established, NTSB management cannot assure the public that its computer systems are adequately secured to ensure integrity, confidentiality, and availability of its safety investigation mission.

According to the CIO, the delay in implementing these corrective actions was partially due to the inability to secure funding when competing with other operational needs. During the first quarter of FY 2005, the CIO initiated action to award a contract to help finalize the NTSB system inventory, develop security policies and procedures, and conduct security certification reviews on selected systems. However, the funding was not approved until June 2005—after the newly appointed NTSB Managing Director became aware of limited progress in this area. NTSB awarded a contract in August and the actual contract work started September 13, 2005—almost a year later than originally planned.

NTSB computers are vulnerable to unauthorized access from both inside and outside of the agency. We found weak password encryption in NTSB's routers[3] and vulnerabilities in its computers. As a result, we were able to take control over the routers and could have reconfigured them to allow unauthorized entities to access NTSB computers from the Internet. In addition, like last year, we obtained sensitive information from NTSB computers without being detected.

Connections to the Internet were not adequately protected. Employees are allowed to access NTSB computer systems from the Internet.
NTSB relies on its network routers to prevent unauthorized access to its internal network and direct legitimate network traffic between NTSB Headquarters and regional offices. Although its routers were reasonably configured, they did not have proper password protection, as required by Government standards. NTSB provided us with the configuration files that contained the router passwords. Even though the passwords were encrypted for security protection, we were able to easily crack all passwords. As a result, we gained total control (root-level access) over its Internet router from the Internet. As an insider, we could also gain total control of other internal routers. With root-level access to all NTSB routers, we could have changed configuration settings to open paths from the Internet to allow unauthorized entities to access NTSB's private network. Once inside the private network, the entities could obtain sensitive information from NTSB computers or launch attacks to disrupt its operations.

[3] Routers are network devices. They are used to screen network activities to prevent unauthorized access to an organization's internal networks and direct legitimate network traffic among its internal networks.

Computers hosted on the private network were vulnerable. We used a commercial scanning software tool to perform a vulnerability assessment of computers hosted on the NTSB network. We found over 1,400 potential high-risk vulnerabilities, which could allow insiders—NTSB employees, contractors, and business associates—to gain unauthorized access to NTSB business information stored on these computers. For example, our staff was able to obtain sensitive investigative information from these computers including real-time audio recording between air traffic controllers and pilots during an accident.

Last year, we performed a similar but more limited vulnerability check and found hundreds of high-risk vulnerabilities.[4] We recommended that, in addition to correcting these vulnerabilities, NTSB management obtain proper tools so that it could assess network vulnerabilities regularly. NTSB has corrected about 85 percent of the high-risk vulnerabilities we identified last year and procured a software tool for vulnerability assessment. However, it did not have trained staff to utilize the tool and accordingly was not aware of these additional high-risk vulnerabilities. Conducting frequent network vulnerability assessments is critical because new vulnerabilities, such as the ones exploited by computer viruses, are uncovered daily.

[4] Last year our network assessment performed about 400 vulnerability checks versus more than 1,200 vulnerability checks performed this year.

Security incident monitoring and response capabilities are still lacking. Like last year, our unauthorized access to NTSB computers went undetected because NTSB has not implemented an intrusion-detection system to identify potential security breaches on its network. To secure a computer network, management needs to not only patch/eliminate vulnerabilities in computers but also develop the capability to identify and respond to security incidents. This detective control is especially critical to networks with direct connections to the Internet because of relentless attacks by hackers worldwide. For example, Government agencies with intrusion-detection systems deployed on their networks have reported hundreds of potential security breaches on a daily basis.

We are making specific recommendations to enhance network security.
NTSB management concurred with, and has begun implementing, recommended corrective actions. In addition, we recommend that the Acting Chairman require the Chief Information Officer to submit monthly reports to the Managing Director on progress made in finalizing a system inventory, developing security plans, and accrediting systems security.

FINDINGS

NTSB Did Not Make a Strong Commitment To Implement an Agencywide Information Security Program as Promised

In last year's FISMA report, we made a series of recommendations to enhance NTSB's information security program and NTSB management agreed to take corrective actions. During FY 2005, NTSB made little progress implementing our recommendations. It appointed a CIO, provided security awareness training to 82 percent of its employees and specialized training to all employees with significant security responsibility, and initiated an effort to hire a contractor to perform tasks to meet FISMA requirements. However, most of the recommended actions have not yet been implemented.

FISMA requires each agency, through the CIO, to implement an agencywide information security program to protect the information and information systems that support the operations and assets of the agency. To effectively implement this program, agencies need to develop and implement security plans, and maintain a system inventory. As part of its responsibilities under FISMA, OMB also requires agencies to perform security certification reviews on their information systems. However, we continue to find that these requirements have not been implemented at NTSB.

NTSB did not:

• Have an inventory of all the information systems used to support its operational needs;

• Develop security plans for protecting its information systems, which should address rules of behavior for system use, training requirements for security responsibilities, personnel controls, technical controls, continuity of operations, incident response capabilities, and system interconnections;[5]

• Require information systems to be certified as adequately secured commensurate with operational risks before accreditation for business use; and

• Document security weaknesses and corrective actions in Plan of Actions and Milestones, as required by OMB.

[5] National Institute of Standards and Technology, Guide for Developing Security Plans for Information Technology Systems, Special Publication 800-18 (December 1998).

Until an agencywide information security program is established, NTSB management cannot assure the public that its computer systems are adequately secured to ensure integrity, confidentiality, and availability of its safety investigation mission.

This was because NTSB had not made a strong commitment as promised and did not assign a high enough priority to implementing an effective information security program. During the first quarter of FY 2005, NTSB initiated an effort to award a contract, which includes finalizing NTSB's system inventory, developing security policies and procedures, and conducting security certification reviews on the selected systems. However, according to the NTSB CIO, the funding for this contract did not get NTSB management's approval until the end of June 2005. NTSB awarded this contract in August and the actual contract work did not start until September 13, 2005, almost one year later than originally planned. Without the contract, NTSB was not able to implement the key FISMA requirements.

NTSB Computers Were Vulnerable to Unauthorized Access from Both Inside and Outside of the Agency

We continue to identify security weaknesses in NTSB's networks, such as inadequate password protection in the Internet router, thousands of vulnerabilities in network computers, and lack of intrusion-detection and monitoring capabilities. As a result, our staff was able to take control over the Internet router and obtained sensitive investigation information from NTSB computers without being detected.

Network Routers Not Properly Protected

We reviewed configurations of 13 NTSB routers, which are used to screen network activities to prevent unauthorized access to NTSB's internal network and direct legitimate network traffic between NTSB Headquarters and regional offices. Although our review showed that the NTSB routers are reasonably configured to protect its internal network, we found that NTSB did not use strong password encryption to adequately protect its routers, which could present a potential risk to the entire NTSB network.

NTSB provided us with configuration files for the 13 routers. These files contained the encrypted passwords. However, by using basic password cracking software available on the Internet, we were able to crack within minutes the weak passwords for all 13 NTSB routers located throughout NTSB Headquarters and its field offices.
In fact, using the decrypted passwords we were able to have total control (root-level access) over NTSB's Internet router from anywhere in the world. As an insider, we could also gain total control of the other 12 routers. With root-level access to all NTSB routers, we could have changed configuration settings to open paths from the Internet to allow unauthorized entities to access NTSB computers and information stored on its private network.

These vulnerabilities existed because NTSB did not comply with the Government security configuration requirements and industry best practice when applying password security in network routers. To prevent easy password cracking, the National Institute of Standards and Technology recommends that Government agencies encrypt critical passwords with a 128-bit algorithm or higher. However, passwords in NTSB's routers were encrypted with a weaker manufacturer's algorithm, which provided little security assurance and can be easily cracked with common software.

In response to our finding, NTSB management has already begun upgrading security protection in its network routers.

Network Vulnerabilities Not Assessed

According to the NTSB progress report in March 2005, NTSB took action to eliminate 85 percent of high and medium network vulnerabilities we identified last year, acquired network scanning software, and set June 30, 2005 as its target date for having staff trained in using this software to perform network vulnerability assessments. To verify the strength of NTSB's network security, we performed a network vulnerability assessment on NTSB internal networks. Our assessment results once again demonstrated that NTSB internal networks are vulnerable to attacks.

Last year, we performed a similar but more limited vulnerability check and found hundreds of high-risk vulnerabilities. This year, we expanded the vulnerability check and found more than 28,100 potential vulnerabilities (1,400 high-risk, 1,900 medium-risk and 24,800 low-risk)[6] on NTSB network computers, some of which were also identified last year.

[6] High-risk vulnerabilities may provide an attacker with immediate access into a computer system, such as allowing execution of remote commands. Medium- and low-risk vulnerabilities may provide an attacker with useful information, such as password files, that they can then use to compromise a computer system.

These vulnerabilities could allow insiders—NTSB employees, contractors, and business associates—to gain unauthorized access to NTSB business information stored on these computers. For example, one of the most commonly known vulnerabilities is weak security over the administrator's account in a computer. Hackers always look for opportunities to use this privileged account as an entry point to gain control over the entire computer. We found that among the 17 computers that we could take control over, 15 of them used blank passwords for the administrator account and 2 used "Administrator" as the password. Accordingly, hackers could easily gain total control (root-level access) over these computers, change computer configuration (setup), install malicious software, or add/change/delete all files stored in these computers. In fact, we did obtain sensitive investigation information from these computers, including real-time audio recording between air traffic controllers and pilots during an accident.

Despite the effort of correcting 85 percent of the vulnerabilities we identified last year, NTSB continues to have a significant amount of network vulnerabilities because NTSB:

• Does not have a procedure in place to ensure that its computers are adequately configured before being put on the networks. Six of the computers with blank password protection over the administrator's account were put on the network during FY 2005.

• Has not utilized the vulnerability scanning software acquired in October 2004. According to NTSB officials, this tool was not utilized due to lack of trained staff. While the training funds were available, NTSB had difficulties in allocating existing personnel resources to assume this additional responsibility. Conducting frequent network vulnerability assessments is critical because new vulnerabilities, such as the ones exploited by computer viruses, are uncovered daily.

Security Incident Monitoring and Response Capabilities Still Lacking

Like last year, our unauthorized access to NTSB computers went undetected because NTSB has not implemented an intrusion detection system to identify potential security breaches on its network, as we recommended a year ago.

Intrusion detection is the process of detecting unauthorized use of, or attack upon, a computer or network. Intrusion-detection systems are software or hardware systems that detect such misuse. The National Institute of Standards and Technology recommends deploying such systems as necessary additions to an organization's security infrastructure. This security is particularly important to organizations with direct connections to the Internet because of constant hacking attacks. For example, Government agencies with intrusion-detection systems deployed on their networks have reported hundreds of potential security breaches on a daily basis.

Installing an intrusion-detection system is a critical step for agencies in developing a security incident monitoring and response capability. Knowing that small agencies may not have technical resources to develop this capability, the Office of Management and Budget (OMB) has initiated an effort for qualified entities (Centers of Excellence) to provide cross-agency services in this area. The General Services Administration is taking the lead to implement this effort, called the Information Security Services Line of Business. NTSB should consider using this service as soon as possible.

As we demonstrated, NTSB computer networks remain vulnerable.
Also, the lack of progress in implementing an agencywide information security program continues to put the integrity, confidentiality, and availability of NTSB business operations at risk. In our opinion, this constitutes a significant deficiency and should be reported as a material internal control weakness on the annual FMFIA report to OMB and Congress.

RECOMMENDATIONS

We recommend that the NTSB Acting Chairman:

1. Ensure that NTSB's information security program receives the priority and funding to accomplish the following in FY 2006:

   a) Finalizing the system inventory and completing risk assessment for all systems in accordance with Federal Information Processing Standards 199.

   b) For high-risk systems, completing security certification and accreditation reviews and documenting planned actions and milestones for remediation.

   c) For the remaining medium- and low-risk systems, establishing a timetable to complete security certification and accreditation reviews.

2. Require the Chief Information Officer to submit monthly reports to the Managing Director describing progress made in implementing the following critical elements of an agencywide information security program.

   a) Finalizing the system inventory.

   b) Issuing guidance for system owners to develop security plans.

   c) Assisting senior management in accrediting systems security.

   d) Implementing a mechanism to track and prioritize security weakness correction efforts, as required by OMB.

   e) Ensuring all employees receive security awareness training annually.

3. Direct the Chief Information Officer to take immediate actions to enhance network security by:

   a) Enhancing security protection of passwords on network routers, such as using stronger password encryption.

   b) Developing procedures to ensure computers are properly configured before being implemented for production use.

   c) Providing proper training and performing vulnerability assessments of all network computers with the acquired scanning tool on a regular basis.

   d) Establishing network security incidents monitoring and response capabilities.

MANAGEMENT COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

A draft of this report was provided to the NTSB Acting Chairman for comments on September 23, 2005. The Acting Chairman responded on October 7, 2005, and concurred with all recommendations (see Appendix). The actions planned by NTSB are reasonable and should provide a solid foundation for implementing an effective information security program. We will continue monitoring NTSB's progress in implementing these recommendations.

NTSB's response also included comments regarding our characterization of the vulnerability of its Internet connections. We acknowledge that NTSB may have other protections built into its overall network infrastructure—protections that make system intrusion by the general public unlikely. However, as noted in the report, we base our conclusion about NTSB's systems' vulnerability on the cumulative risk inherent in the systems' present architecture. By gaining root-level access to 13 NTSB routers, we could have changed configuration settings to open paths from the Internet to allow unauthorized entities to access NTSB computers and information stored on its private network.
Despite the presence of\na firewall between the routers, the ability to reconfigure these routers to allow\nunauthorized network traffic through the firewall may not be difficult when\nattempted by those with sophisticated knowledge of computers.\n\nWe appreciate the courtesies and cooperation of National Transportation Safety\nBoard representatives during this audit. If you have any questions concerning this\nreport, please call me at (202) 366-1992 or Rebecca C. Leng, Assistant Inspector\nGeneral for Information Technology and Computer Security, at (202) 366-1488.\n\nSincerely,\n\n\n\n\nTheodore P. Alves\nPrincipal Assistant Inspector General for\n Auditing and Evaluation\n\nEnclosures (3)\n\n\n\n\nReport No. FI-2006- 001\n\x0c                                                                        Enclosur e 1\n                                                                        Page 1 of 4\n\n\n\nENCLOSURE 1. OFFICE OF INSPECTOR GENERAL INPUT TO\nFISMA REPORT\nThis is the second year that NTSB has been required to comply with FISMA,\nwhich requires independent evaluation of agencies\xe2\x80\x99 information security\nprograms. NTSB is responsible for investigating accidents in all transportation\nmodes to determine their cause, and for recommending changes to improve safety\nand reduce the likelihood and consequences of future accidents.\n\nResponding to FISMA requirements, the Department of Transportation\xe2\x80\x99s Office of\nInspector General (OIG) performed an audit of NTSB\xe2\x80\x99s information security\nprogram last year for the first time. We reported to NTSB that its information\nsecurity program should be reported to OMB as a material weakness under the\nFMFIA and recommended immediate corrective action. NTSB management\nagreed to take aggressive action, including appointing a Chief Information Officer\nto lead the effort. 
While a Chief Information Officer was appointed last\nSeptember, NTSB is behind in implementing the planned actions to enhance its\ninformation security program. Since only limited progress has been made, we\nperformed a limited review focusing on NTSB network security.\n\nOur independent evaluation continues to identify significant security weaknesses\nin NTSB\xe2\x80\x99s networks, such as inadequate password protection in the Internet\nrouter, thousands of vulnerabilities in network computers, and lack of intrusion-\ndetection capabilities. These security weaknesses enabled us to gain unauthorized\naccess to sensitive information, including real-time audio recording between air\ntraffic controllers and pilots during an accident.\n\nThe lack of progress in implementing an agencywide information security\nprogram continues to put the integrity, confidentiality, and availability of NTSB\nbusiness operations at risk. In our opinion, this constitutes a significant deficiency\nand should be reported as a material internal control weakness on the annual\nFMFIA report to OMB and the Congress.                    We are making specific\nrecommendations to enhance network security. NTSB management concurred\nwith, and has begun implementing, recommended corrective actions. Until an\nagencywide information security program is established, NTSB management\ncannot assure the public that its computer systems are adequately secured to\nensure the integrity, confidentiality, and availability of its safety investigation\nmission.\n\n\n\n\nReport No. 
Enclosure 1 (page 2 of 4)

Section C: Inspector General. Questions 1, 2, 3, 4, and 5.

Agency Name: National Transportation Safety Board

Questions 1 and 2

1. As required in FISMA, the IG shall evaluate a representative subset of
systems, including information systems used or operated by an agency or by a
contractor of an agency or other organization on behalf of an agency. By FIPS 199
risk impact level (high, moderate, low, or not categorized) and by bureau, identify
the number of systems reviewed in this evaluation for each classification below
(a., b., and c.).

   To meet the requirement for conducting a NIST Special Publication 800-26
   review, agencies can:
   1) Continue to use NIST Special Publication 800-26, or,
   2) Conduct a self-assessment against the controls found in NIST Special
      Publication 800-53

   Agencies are responsible for ensuring the security of information systems used
   by a contractor of their agency or other organization on behalf of their agency;
   therefore, self reporting by contractors does not meet the requirements of law.
   Self reporting by another Federal agency, for example, a Federal service
   provider, may be sufficient. Agencies and service providers have a shared
   responsibility for FISMA compliance.

2. For each part of this question, identify actual performance in FY 05 by risk
impact level and bureau, in the format provided below. From the representative
subset of systems evaluated, identify the number of systems which have completed
the following: have a current certification and accreditation, a contingency plan
tested within the past year, and security controls tested within the past year.

Bureau: NTSB (the only bureau reported; the template’s unused bureau rows are
omitted). Question 1 columns: a. FY 05 agency systems, b. FY 05 contractor
systems, c. FY 05 total number of systems, each as total number and number
reviewed. Question 2 columns: a. number of systems certified and accredited,
b. number of systems for which security controls have been tested and evaluated
in the last year, c. number of systems for which contingency plans have been
tested in accordance with policy and guidance, each as number and percent of
total. Because no system was reviewed, the Question 2 percentages are undefined
(the submitted spreadsheet shows #DIV/0!); they are marked n/a below.

                         Question 1                            Question 2
                   a. Agency   b. Contractor  c. Total     a. C&A     b. Controls  c. Contingency
FIPS 199 level    Total Rev'd  Total Rev'd    Total Rev'd  No.   %    No.    %     No.    %
High                0     0      0     0        0     0     0   n/a    0   n/a     0   n/a
Moderate            0     0      0     0        0     0     0   n/a    0   n/a     0   n/a
Low                 0     0      0     0        0     0     0   n/a    0   n/a     0   n/a
Not Categorized     0     0      1     0        1     0     0   n/a    0   n/a     0   n/a
Total               0     0      1     0        1     0     0   n/a    0   n/a     0   n/a

Question 3

In the format below, evaluate the agency’s oversight of contractor systems, and
agency system inventory.

3.a. The agency performs oversight and evaluation to ensure information systems
     used or operated by a contractor of the agency or other organization on
     behalf of the agency meet the requirements of FISMA, OMB policy and NIST
     guidelines, national security policy, and agency policy. Self-reporting of
     NIST Special Publication 800-26 requirements by a contractor or other
     organization is not sufficient; however, self-reporting by another Federal
     agency may be sufficient.

     Response categories:
     - Rarely, for example, approximately 0-50% of the time
     - Sometimes, for example, approximately 51-70% of the time
     - Frequently, for example, approximately 71-80% of the time
     - Mostly, for example, approximately 81-95% of the time
     - Almost Always, for example, approximately 96-100% of the time

     Response: Rarely, for example, approximately 0-50% of the time

Enclosure 1 (page 3 of 4)

3.b. The agency has developed an inventory of major information systems
     (including major national security systems) operated by or under the control
     of such agency, including an identification of the interfaces between each
     such system and all other systems or networks, including those not operated
     by or under the control of the agency.

     Response categories:
     - Approximately 0-50% complete
     - Approximately 51-70% complete
     - Approximately 71-80% complete
     - Approximately 81-95% complete
     - Approximately 96-100% complete

     Response: Approximately 0-50% complete

3.c. The OIG generally agrees with the CIO on the number of agency owned
     systems.                                                               No

3.d. The OIG generally agrees with the CIO on the number of information systems
     used or operated by a contractor of the agency or other organization on
     behalf of the agency.                                                  No

3.e. The agency inventory is maintained and updated at least annually.      No

3.f. The agency has completed system e-authentication risk assessments.     No

Question 4

Through this question, and in the format provided below, assess whether the
agency has developed, implemented, and is managing an agency wide plan of action
and milestones (POA&M) process. Evaluate the degree to which the following
statements reflect the status in your agency by choosing from the responses
provided in the drop down menu.
If appropriate or necessary, include comments in the area provided below.

For items 4.a.-4.f., the response categories are as follows:

   - Rarely, for example, approximately 0-50% of the time
   - Sometimes, for example, approximately 51-70% of the time
   - Frequently, for example, approximately 71-80% of the time
   - Mostly, for example, approximately 81-95% of the time
   - Almost Always, for example, approximately 96-100% of the time

4.a. The POA&M is an agency wide process, incorporating all known IT security
     weaknesses associated with information systems used or operated by the
     agency or by a contractor of the agency or other organization on behalf of
     the agency.
     Response: Rarely, for example, approximately 0-50% of the time

4.b. When an IT security weakness is identified, program officials (including
     CIOs, if they own or operate a system) develop, implement, and manage
     POA&Ms for their system(s).
     Response: Rarely, for example, approximately 0-50% of the time

4.c. Program officials, including contractors, report to the CIO on a regular
     basis (at least quarterly) on their remediation progress.
     Response: Rarely, for example, approximately 0-50% of the time

4.d. CIO centrally tracks, maintains, and reviews POA&M activities on at least a
     quarterly basis.
     Response: Rarely, for example, approximately 0-50% of the time

4.e. OIG findings are incorporated into the POA&M process.
     Response: Rarely, for example, approximately 0-50% of the time

4.f. POA&M process prioritizes IT security weaknesses to help ensure significant
     IT security weaknesses are addressed in a timely manner and receive
     appropriate resources.
     Response: Rarely, for example, approximately 0-50% of the time

Comments: NTSB did not meet key FISMA requirements during FY 2005, such as
having a complete system inventory, performing certification and accreditation
(C&A) on the identified systems, reporting security weaknesses and the corrective
action plan (POA&M) to OMB, and developing a security plan and related policies.
NTSB hired a contractor in September 2005 to start implementing key FISMA
requirements.

Question 5

OIG Assessment of the Certification and Accreditation Process. OMB is requesting
IGs to provide a qualitative assessment of the agency’s certification and
accreditation process, including adherence to existing policy, guidance, and
standards. Agencies shall follow NIST Special Publication 800-37, “Guide for the
Security Certification and Accreditation of Federal Information Systems” (May,
2004) for certification and accreditation work initiated after May, 2004. This
includes use of FIPS 199 (February, 2004), “Standards for Security Categorization
of Federal Information and Information Systems,” to determine an impact level, as
well as associated NIST documents used as guidance for completing risk
assessments and security plans.

Assess the overall quality of the Department’s certification and accreditation
process.

Response categories:
   - Excellent
   - Good
   - Satisfactory
   - Poor
   - Failing

Response: Failing

Comments: NTSB has not performed security certification reviews on any of its
information systems. NTSB hired a contractor to finalize its system inventory and
will perform C&A reviews on selected systems.

Enclosure 1 (page 4 of 4)

Section B: Inspector General.
Question 6, 7, 8, and 9.

Agency Name: National Transportation Safety Board

Question 6

6.a. Is there an agency wide security configuration policy? (Yes or No.)      No

     Comments: NTSB currently does not have an agency wide security
     configuration policy. However, a desktop configuration standard (Windows XP)
     is under development. The configuration guides for other software products
     will be established by the NTSB contractor.

6.b. Configuration guides are available for the products listed below. Identify
     which software is addressed in the agency wide security configuration
     policy. Indicate whether or not any agency systems run the software. In
     addition, approximate the extent of implementation of the security
     configuration policy on the systems running the software.

     Response choices for the extent of implementation:
     - Rarely, or, on approximately 0-50% of the systems running this software
     - Sometimes, or on approximately 51-70% of the systems running this software
     - Frequently, or on approximately 71-80% of the systems running this software
     - Mostly, or on approximately 81-95% of the systems running this software
     - Almost Always, or on approximately 96-100% of the systems running this
       software

     Product                    Addressed in        Do any agency     Extent of implementation
                                agencywide policy?  systems run       on the systems running
                                (Yes, No, or N/A)   this software?    the software
                                                    (Yes or No)
     Windows XP Professional    No                  Yes               Rarely (0-50% of systems)
     Windows NT                 No                  Yes               Rarely (0-50% of systems)
     Windows 2000 Professional  No                  Yes               Rarely (0-50% of systems)
     Windows 2000 Server        No                  Yes               Rarely (0-50% of systems)
     Windows 2003 Server        No                  Yes               Rarely (0-50% of systems)
     Solaris                    No                  No                (left blank)
     HP-UX                      No                  Yes               Rarely (0-50% of systems)
     Linux                      No                  Yes               Rarely (0-50% of systems)
     Cisco Router IOS           No                  Yes               Rarely (0-50% of systems)
     Oracle                     No                  No                (left blank)
     Other. Specify:            (none specified)

Comments: The OIG network assessment identified many security weaknesses.
However, NTSB hired a contractor to establish configuration management
standards.

Question 7

Indicate whether or not the following policies and procedures are in place at
your agency. If appropriate or necessary, include comments in the area provided
below.

7.a. The agency follows documented policies and procedures for identifying and
     reporting incidents internally. (Yes or No.)                             No

7.b. The agency follows documented policies and procedures for external reporting
     to law enforcement authorities. (Yes or No.)                             No

7.c. The agency follows defined procedures for reporting to the United States
     Computer Emergency Readiness Team (US-CERT). http://www.us-cert.gov
     (Yes or No.)                                                             No

Comments: NTSB has no incident reporting policies and procedures internally or
externally. However, NTSB hired a contractor to develop policies and procedures
on incident response.

Question 8

8. Has the agency ensured security training and awareness of all employees,
   including contractors and those employees with significant IT security
   responsibilities?

   Response choices include:
   - Rarely, or, approximately 0-50% of employees have sufficient training
   - Sometimes, or approximately 51-70% of employees have sufficient training
   - Frequently, or approximately 71-80% of employees have sufficient training
   - Mostly, or approximately 81-95% of employees have sufficient training
   - Almost Always, or approximately 96-100% of employees have sufficient training

   Response: Mostly, or approximately 81-95% of employees have sufficient training

Question 9

9. Does the agency explain policies regarding peer-to-peer file sharing in IT
   security awareness training, ethics training, or any other agency wide
   training? (Yes or No.)                                                     Yes

ENCLOSURE 2. SCOPE AND METHODOLOGY

To fulfill the requirements under FISMA, we reviewed the NTSB information
security program.
We also provided input to NTSB’s FISMA report by answering questions specified by OMB.\n\nWe interviewed the key network administration and management officials in the Office of Research and Engineering to gather information on the implementation status of NTSB’s information security program. Based on the collected information, we provided answers to OMB’s questions on FISMA reporting. Using commercial scanning software, we performed a limited vulnerability assessment of NTSB private networks, dial-up connections, and the configuration of NTSB routers. Due to time constraints, we performed limited penetration tests by exploiting some of the identified vulnerabilities.\n\nWe performed our work between July and September 2005 at NTSB Headquarters in Washington, DC. The performance audit was conducted in accordance with the Generally Accepted Government Auditing Standards prescribed by the Comptroller General of the United States, and included such tests as we considered necessary to provide reasonable assurance of detecting abuse or illegal acts.\n\n\n\nENCLOSURE 3. MAJOR CONTRIBUTORS TO THIS REPORT\n\n   Name                      Title\n\n   Rebecca C. Leng           Assistant Inspector General for Information Technology and Computer Security\n\n   Edward Densmore           Program Director\n\n   Dr. Ping Z. Sun           Project Manager\n\n   John M. Johnson           Senior IT Specialist\n\n   Aaron Nguyen              Computer Scientist\n\n   Michael P. Fruitman       Communications Adviser\n\n\n\n                                                                          Page 1 of 5\n\n\nAPPENDIX. 
MANAGEMENT COMMENTS\n\n                                       National Transportation Safety Board\n                                                          Washington, D.C. 20594\n\n                                                            October 7, 2005\nOffice of the Chairman\n\n\nMr. Theodore P. Alves\nPrincipal Assistant Inspector General for\n Auditing and Evaluation\nU.S. Department of Transportation\n400 7th Street, SW\nWashington, DC 20590\n\nDear Mr. Alves:\n\n        Thank you for the opportunity to provide comments on the draft report of your follow-up review of the National Transportation Safety Board’s information security program and network security. We do not dispute the observation that the development of the NTSB’s information security program has not progressed as rapidly as we had hoped. We have, however, devoted considerable resources to this process and are committed to its completion.\n\n        We concur with the report’s conclusion that the Safety Board’s lack of a formal agency-wide information security program represents a material internal control weakness, and we have reflected that conclusion in our report to the Office of Management and Budget and to Congress under the Federal Managers’ Financial Integrity Act (FMFIA) of 1982.\n\n        If you have any questions, please contact Mr. Joseph Osterman, Managing Director, at (202) 314-6060.\n\n                                                          Sincerely,\n\n\n\n                                                          Mark V. Rosenker\n                                                          Acting Chairman\n\n\nEnclosure\n\n\n\nReport No. 
FI-2006-001\n\n\n                                ENCLOSURE\n\n\nDOT IG RECOMMENDATIONS:\n\nRecommendation 1: Ensure that NTSB’s information security program receives the priority and funding to accomplish the following in FY 2006:\n\n       a) Finalizing the system inventory and completing risk assessment for all systems in accordance with Federal Information Processing Standards 199.\n           Response: Concur. The system inventory and FIPS 199 risk assessment for all systems will be completed on 10-31-05.\n\n       b) For high-risk systems, completing security certification and accreditation reviews and documenting planned actions and milestones for remediation.\n           Response: Concur. If the 10-31-05 final assessment identifies any high-risk systems, defined as systems for which the loss of confidentiality, integrity, or availability of the system could be expected to have a severe or catastrophic effect on organizational operations, organizational assets, or individuals, the NTSB will complete a plan with milestones for remediation for any high-risk system by November 30, 2005.\n\n       c) For the remaining medium- and low-risk systems, establishing a timetable to complete security certification and accreditation reviews.\n           Response: Concur. 
A plan of action with milestones for the accomplishment of certification and accreditation for all remaining systems and major applications will be completed by January 9, 2006.\n\nRecommendation 2: Require the Chief Information Officer to submit monthly reports to the Managing Director describing progress made in implementing the following critical elements of an agencywide information security program:\n       a) Finalizing the system inventory;\n       b) Issuing guidance for system owners to develop security plans;\n       c) Assisting senior management in accrediting systems security;\n       d) Implementing a mechanism to track and prioritize security weakness correction efforts, as required by OMB;\n       e) Ensuring all employees receive security awareness training annually.\n\n      Response: Concur. The CIO will report daily to the Managing Director on progress until October 31, 2005, and then monthly thereafter.\n                 i. The system inventory will be completed by October 31, 2005.\n                ii. Security plan guidance will be completed by January 9, 2006.\n               iii. A plan to accredit systems security will be completed by September 30, 2006.\n                iv. A mechanism to track and prioritize security weakness correction efforts will be deployed by May 31, 2006.\n                 v. All employees will complete training for calendar year 2005 by October 31, 2005. 
The NTSB training officer will prepare a plan to ensure that all employees receive security awareness training annually, by December 31, 2005.\n\nRecommendation 3: Direct the Chief Information Officer to take immediate actions to enhance network security by:\n\n    a) Enhancing security protection of passwords on network routers, such as using stronger password encryption;\n       Response: Concur.\n\n       Following the IG’s audit, the NTSB configured the Internet router with vendor-provided strong encryption per NIST guidance (Router Security Configuration Guide v1.1b, 12-05-2003).\n\n       The NTSB will take the following actions as established by NIST guidelines and standards by October 20, 2005:\n\n          o   Shut down all unneeded services\n          o   Apply additional access filters to restrict remote access and attacks\n          o   Limit remote management to internal, encrypted sessions only\n          o   Implement router logging capability\n\n    b) Developing procedures to ensure computers are properly configured before being implemented for production use;\n       Response: Concur. An interim procedure will be completed by October 20, 2005, and a final procedure by December 5, 2005.\n\n    c) Providing proper training and performing vulnerability assessments of all network computers with the acquired scanning tool on a regular basis;\n       Response: Concur. The Chief Information Security Officer and his backup will receive scanning tool training or, if appropriate training is unavailable, a contractor will provide scanning services by December 24, 2005. A plan for periodic vulnerability scanning will be completed by October 13, 2005.\n\n    d) Establishing network security incident monitoring and response capabilities.\n       Response: Concur. 
The NTSB will complete a plan and policy for network security monitoring and response capabilities, including an assessment of alternative reporting, by December 5, 2005.\n\n\n\nDOT IG RECOMMENDATIONS:\n\nSCHEDULE\n\n  October 1, 2005:       Following the IG’s audit, the NTSB configured the Internet router with vendor-provided strong encryption per NIST guidance (Router Security Configuration Guide v1.1b, 12-05-2003).\n\n  October 7, 2005:       The CIO will report daily to the Managing Director on progress until October 31, 2005, and then monthly thereafter.\n\n  October 20, 2005:      The NTSB will take the following actions as established by NIST guidelines and standards:\n\n                            1. Shut down all unneeded services\n                            2. Apply additional access filters to restrict remote access and attacks\n                            3. Limit remote management to internal, encrypted sessions only\n                            4. 
Implement router logging capability\n\n  October 31, 2005:      The system inventory and FIPS 199 risk assessment for all systems will be completed.\n\n  October 31, 2005:      The system inventory will be completed.\n\n  October 31, 2005:      All employees will complete training for calendar year 2005.\n\n  October 31, 2005:      A plan for periodic vulnerability scanning will be completed.\n\n  November 30, 2005:     If the 10-31-05 final assessment identifies any high-risk systems, defined as systems for which the loss of confidentiality, integrity, or availability of the system could be expected to have a severe or catastrophic effect on organizational operations, organizational assets, or individuals, the NTSB will complete a plan with milestones for remediation for any high-risk system.\n\n  December 5, 2005:      An interim procedure will be completed.\n\n  December 5, 2005:      The NTSB will complete a plan and policy for network security monitoring and response capabilities, including an assessment of alternative reporting.\n\n  December 24, 2005:     The Chief Information Security Officer and his backup will receive scanning tool training or, if appropriate training is unavailable, a contractor will provide scanning services.\n\n  December 31, 2005:     The NTSB training officer will prepare a plan to ensure that all employees receive security awareness training annually.\n\n  January 9, 2006:       A plan of 
action with milestones for the accomplishment of certification and accreditation for all remaining systems and major applications will be completed.\n\n  January 9, 2006:       Security plan guidance will be completed.\n\n  May 31, 2006:          A mechanism to track and prioritize security weakness correction efforts will be deployed.\n\n  September 30, 2006:    A plan to accredit systems security will be completed.\n
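Recommendation 3a and NTSB's response list the router-hardening items the audit called for (stronger password protection, unneeded services shut down, access filters on remote access, encrypted internal-only management, and router logging). As an added example that is not part of the OIG report or NTSB's actual configuration, the following Python checker reads a Cisco IOS-style running configuration (the report does not name the router vendor, so IOS syntax is assumed) and reports which of those five items a configuration still leaves open, using constructed weak and hardened samples.

```python
import re
# Constructed sample IOS-style configs (not NTSB's): WEAK is a pre-audit state,
# HARDENED addresses the five items listed under Recommendation 3a.
WEAK_CONFIG = """\
service tcp-small-servers
enable password 7 0822455D0A16
line vty 0 4
 password 7 094F471A1A0A
 transport input telnet ssh
"""
HARDENED_CONFIG = """\
no service tcp-small-servers
enable secret 5 $1$EXAMPLE$placeholderhash
logging host 192.0.2.10
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
"""
UNNEEDED = ("service tcp-small-servers", "service udp-small-servers", "ip http server", "ip finger")
def _section(lines, header):
    """Indented lines of the config block that starts with `header` (stripped)."""
    out, inside = [], False
    for ln in lines:
        if ln.startswith(header):
            inside = True
        elif inside and ln.startswith(" "):
            out.append(ln.strip())
        else:
            inside = False
    return out
def check_router_config(cfg):
    """Return findings for the five hardening items; an empty list means all pass."""
    lines = [ln.rstrip() for ln in cfg.splitlines()]
    findings = []
    # (1) 'enable secret' stores a hash; type 7 strings are trivially reversible
    if not any(ln.startswith("enable secret") for ln in lines):
        findings.append("privileged password not stored as 'enable secret'")
    if any(re.search(r"\bpassword 7 ", ln) for ln in lines):
        findings.append("reversible type 7 password present")
    findings += [f"unneeded service enabled: {s}" for s in UNNEEDED if s in lines]  # (2)
    vty = _section(lines, "line vty")  # (3) access filter and (4) ssh-only management
    if not any(v.startswith("access-class") for v in vty):
        findings.append("no access-class filter on vty lines")
    if [v for v in vty if v.startswith("transport input")] != ["transport input ssh"]:
        findings.append("vty transport input not limited to ssh")
    if not any(re.match(r"logging (host )?\d", ln) for ln in lines):  # (5) remote logging
        findings.append("no remote syslog host configured")
    return findings
```

Run against a saved `show running-config` the same way; each finding maps back to one bullet of NTSB's October 20, 2005 action list.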